Date:       Fri, 10 Dec 93 16:03:32 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V4#005

Computer Privacy Digest Fri, 10 Dec 93              Volume 4 : Issue: 005

Today's Topics:			       Moderator: Leonard P. Levine

                     Help finding code of practice
                     Re: Is PGP really Uncrackable?
                     Re: Is PGP really Uncrackable?
                     Re: Is PGP really Uncrackable?
                     Re: Is PGP really Uncrackable?
                     Re: Is PGP really Uncrackable?
                     Re: Is PGP really Uncrackable?
                   Re: Right To Search Floppy Disks?
                   Re: Right To Search Floppy Disks?
                   Re: Right To Search Floppy Disks?
               Re: Guns Control/Registration/Confiscation
                          "Sneakers"  (long)

   The Computer Privacy Digest is a forum for discussion on the effect 
  of technology on privacy.  The digest is moderated and gatewayed into 
  the USENET newsgroup comp.society.privacy (Moderated).  Submissions 
  should be sent to comp-privacy@uwm.edu and administrative requests 
  to comp-privacy-request@uwm.edu.  Back issues are available via 
  anonymous ftp on ftp.cs.uwm.edu [129.89.9.18].  Login as "ftp" 
  with password "yourid@yoursite".  The archives are in the directory 
  "pub/comp-privacy".   Archives are also held at ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: Kasthuri Jayaraman 61-89-895280 <kj@golem.dme.nt.gov.au>
Date: Fri, 10 Dec 93 10:43:08 CST
Subject: Help finding code of practice

hi,
Our computing section has  informed me that  a Code of practice on 
computer security has been published  jointly  this  week by the UK 
government and the industry  and they would like a copy of it. We 
don't know the Bibliographic details to order this item.  Could you 
please fax  me  the  details? 

The reference appeared in the NEW SCIENTIST, 2 OCT 1993 issue on page 12.

thanking you for your help

kasthuri

------------------------------

From: matt@ra.oc.com (Matthew Lyle)
Date: Tue, 7 Dec 1993 23:52:19 GMT
Subject: Re: Is PGP really Uncrackable?
Organization: OpenConnect Systems, Dallas, TX

Chris Burris <cburris@cap.gwu.edu> writes:
>I have heard recently that the author of PGP was forced by the NSA to
>insert a trapdoor into PGP. He was allegedly charged with trafficking
>narcotics and the NSA forced him to put the trapdoor into PGP as plea bargain.
>Is this true?

Sounds like fiction to me.  The authors of the current versions of PGP are 
not US citizens or residents of the USA.

-- 
Matthew Lyle                                           matt@oc.com
                                                       matt@utdallas.bitnet
OpenConnect System, Dallas, Texas                      (214) 888-0474

------------------------------

From: Richard Roda <rerodd@eos.ncsu.edu>
Date: Wed, 8 Dec 1993 01:24:12 GMT
Subject: Re: Is PGP really Uncrackable?
Organization: North Carolina State University, Project Eos

In article <comp-privacy4.4.2@cs.uwm.edu> Chris Burris <cburris@cap.gwu.edu> writes:
>I have heard recently that the author of PGP was forced by the NSA to
>insert a trapdoor into PGP. He was allegedly charged with trafficking
>narcotics and the NSA forced him to put the trapdoor into PGP as plea bargain.
>Is this true?
>
No.  The article made obvious mistakes.  It said "Paul Zimmerman" when the
author of PGP is Phil Zimmerman.  It was 99 44/100% Pure BS.
-- 
--
 PGP 2.3 Public key by mail  |  Richard E. Roda <rerodd@eos.ncsu.edu> 
Disclaimer-------------------------------------------------------------
| The opinions expressed above are those of a green alien who spoke to|
| me in a vision. They do not necessarily represent the views of NCSU |
| or any other person, dead or alive, or of any entity on Earth.      |
 -----------------------------------------------------------------------

------------------------------

From: fec@arch4.ho.att.com (F E Carey +1 908 949 8049)
Date: Tue, 7 Dec 93 20:49:39 EST
Subject: Re: Is PGP really Uncrackable?

>I have heard recently that the author of PGP was forced by the NSA to
>insert a trapdoor into PGP. He was allegedly charged with trafficking
>narcotics and the NSA forced him to put the trapdoor into PGP as plea bargain.
>Is this true?


As crazy as this sounds it has a certain  "Inslaw/Riconosciuto"  ring.

Frank Carey at Bell Labs        f.e.carey@att.com

------------------------------

From: kkruse@enterprise.ksu.ksu.edu (Korey J. Kruse)
Date: Wed, 8 Dec 93 03:03:20 CST
Subject: Re: Is PGP really Uncrackable?

Chris Burris <cburris@cap.gwu.edu> writes:

>I have heard recently that the author of PGP was forced by the NSA to
>insert a trapdoor into PGP. He was allegedly charged with trafficking
>narcotics and the NSA forced him to put the trapdoor into PGP as plea bargain.
>Is this true?

Nope.   PGP is distributed with source code.  You can examine it all
you want.   Numerous experts in cryptography have (check out sci.crypt)
and determined that the program does not have any "trap doors".
This story has been circulating on many newsgroups...it originally
started as a prank.   Unfortunately too many people take the news they
read as the word of God and then propagate misinformation.  You have
been a victim of this.
-- 
    _   _   _                _       _   _    kkruse@ksuvm.bitnet
|/ | | |_) |_ \ /     |  |/ |_) | | (_` |_    kkruse@ksuvm.ksu.edu
|\ |_| | \ |_  |    (_|  |\ | \ |_| ._) |_    kkruse@matt.ksu.edu


------------------------------

From: WHMurray@dockmaster.ncsc.mil
Date:  Wed, 8 Dec 93 09:16 EST
Subject: Re: Is PGP really Uncrackable?


>I have heard recently that the author of PGP was forced by the NSA to
>insert a trapdoor into PGP. He was allegedly charged with trafficking
>narcotics and the NSA forced him to put the trapdoor into PGP as plea
>bargain.
>Is this true?

No.

This myth is the result of a satirical (and irresponsible) post.  The
satire was lost on the uninitiated.

William Hugh Murray, Executive Consultant, Information System Security
49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840                
1-0-ATT-0-700-WMURRAY; WHMurray at DOCKMASTER.NCSC.MIL


------------------------------

From: mch@sqwest.wimsey.bc.ca (Mark C. Henderson)
Date: Wed, 8 Dec 1993 22:28:58 GMT
Subject: Re: Is PGP really Uncrackable?
Organization: SoftQuad Inc. (POSTER IS NOT A SPOKESPERSON FOR SOFTQUAD INC.)

In article <comp-privacy4.4.2@cs.uwm.edu> Chris Burris <cburris@cap.gwu.edu> writes:
>I have heard recently that the author of PGP was forced by the NSA to
>insert a trapdoor into PGP. He was allegedly charged with trafficking
>narcotics and the NSA forced him to put the trapdoor into PGP as plea bargain.
>Is this true?

Not quite. They just killed Phil "aka Paul" Zimmerman and replaced 
him with an android. ;-) 

Now more seriously, the source code to PGP is publicly available. 
Any attempt to insert a back door into the "official" source code 
would almost certainly be detected. 

Mark
-- 
Mark Henderson, SoftQuad Inc., 108-10070 King George Hwy, Surrey, B.C. V3T 2W4
Internet: mch@sqwest.wimsey.bc.ca, markh@wimsey.bc.ca   Voice: +1 604 585 8394  
Fax: +1 604 585 1926    RIPEM MD5OfPublicKey: F1F5F0C3984CBEAF3889ADAFA2437433
ViaCrypt PGP Key Fingerprint: 21 F6 AF 2B 6A 8A 0B E1  A1 2A 2A 06 4A D5 92 46


------------------------------

From: nevin@cs.arizona.edu (Nevin Liber)
Date: 7 Dec 1993 18:21:43 -0700
Subject: Re: Right To Search Floppy Disks?
Organization: University of Arizona CS Department, Tucson AZ

In article <comp-privacy4.4.4@cs.uwm.edu>,
Justin Fidler  <jfidler@cap.gwu.edu> wrote:

>It's a bit of a unique situation.  Students purchase the disks from the
>school for $1.00 or may bring in their own.  The student must keep this disk
>in a classroom disk box that the school provides that is locked at the end of
>the class.  The reason for not letting students take disks home, they
>claim, is that students could bring viruses onto the network.

Here is a thought:  suppose the disk in question had a virus on it, and
the administration confiscates the disk and tries to read the disk,
thus invoking the virus.  Who is responsible for this?  Does the
responsibility change if the student wrote the virus as an intellectual
exercise but never intended to invoke it?  Suppose the damage was
accidental due to a buggy program?  Now who is responsible?

I doubt that schools have "clean" machines that they test these disks
on.  I doubt that most school administrators would even think about
protecting themselves from this threat.
-- 
	Nevin ":-)" Liber	nevin@cs.arizona.edu	(602) 293-2799
	                 	                    	 ^^^ (520) after 3/95


------------------------------

From: swd_lrr@genb.cca.cr.rockwell.com ()
Date: Wed, 8 Dec 93 16:59:38 GMT
Subject: Re: Right To Search Floppy Disks?
Organization: Rockwell International

>>Dick Murtagh (8-465-4916) <dickm@vnet.ibm.com> wrote:

>>Disclaimer: I am not a lawyer. Do not take this as legal advice :

>>It's a matter of who owns the disks.  Are they borrowed from the school
>>or were they purchased by the student ?  If they belong to the school,
>>then the school can search them at any time (like the lockers).

> So, if I borrow a sheet of paper from a friend, that friend "owns"
> whatever I have written on it??  I do not believe that that is a
> reasonable expectation.  If it is, I'll loan all my favorite authors
> all the paper they want. :-_

Not so.  However, that person has a right to read anything legible thereon when
you return it, even if he demands you return it with no notice.

Lance  ==)--------

-=[ Floccipaucinihilipification is worthless! ]=-
--
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--
Lance.Reichert@f120.n283.z1.fidonet.org ||
-or-   swd_lrr@afds.cca.cr.rockwell.com || Don't believe everything you read.
8E03 8D25 7D69 07F4  8845 6CCA 28E8 67CF|| Whatever you _do_ believe, make
BOMBREAKGBORDERESERVENCRYPTARGETRAITORSA|| sure you DON'T believe the opinions
PGPRESIDENTWACKENHUTFEMARSHALLETHALAJFBI|| embodied herein are Rockwell's!
EXPOSECRETFEDERALIASCIASSASINATEDEAGUNSA||
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--


------------------------------

From: bitbug@netcom.com (James Buster)
Date: Thu, 9 Dec 1993 00:27:51 GMT
Subject: Re: Right To Search Floppy Disks?
Organization: Lynx Real-Time Systems, Inc.

In article <comp-privacy4.3.1@cs.uwm.edu> ranck@joesbar.cc.vt.edu (Wm. L. Ranck) writes:
>Actually I think folks seem to have a basic misconception here.  It is
>precisely *because* they are not the police that they can do locker searches,
>etc.  The police are held to a higher standard for probable cause to search.

That is, precisely, the problem. In most(all?) public schools, school
administrators are government employees. I think that *all* government
employees should be held to the same standard of conduct as police officers.
Otherwise you have the current intolerable situation where "Oh, she's not a
*police officer*, she's an *administrator*.". Just wait until some idiot
bureaucrat figures this out, and sends administrators to illegally search
your home: "It's ok, they're not police officers.".
-- 
				James Buster
			     bitbug@netcom.com


------------------------------

From: steele!basile@uunet.uu.net (Steve Basile)
Date: 8 Dec 1993 01:20:48 GMT
Subject: Re: Guns Control/Registration/Confiscation
Organization: I Don't Speak For...Tivoli Systems, Inc. - Austin, TX

In article <comp-privacy3.83.1@pica.army.mil> David Horvath 
   <dhorvath@sas.upenn.edu> writes:
>>    I have been taking all of this Brady Bill info in with utter amazement
>> at the NRA stand, which is that once an instant background check is
>> available, the waiting period should be phased out.  Am I missing
>> something here? An instant background check sounds to me like a
>> [more stuff about registering and confiscation of firearms that in
>> theory should be protected by the 2nd amendment DELETED]
>
>> Where is the NRA's head at with this, anyway? This whole "instant, 
>> computerized" nonsense scares me more than any stupid waiting period (which
>> by the way, we have had here in Minnesota for years).
>
>  While I share many of these same concerns, I feel it *would* be
>possible to implement such a system without identifying *what* or *how
>many* you were buying.  A simple NCIC check would show if you were a
>convicted felon and the addition of a 'mental stability' flag to the
>database would be a simple matter.
>
> <stuff deleted on PA 3 day check, etc>

>  In order to get a permit to concealed-carry a handgun in Pennsylvania,
>you have to supply references, answer a questionnaire (are you a drunkard,
>etc), supply 2 passport sized photos, and pay a fee.  The references, the
>local police (who better to know if you're a trouble maker), and often
>your neighbors are contacted.  I assume a lookup is done in the NCIC.
>

I just moved to TX from NY, and am now more aware of the VARIETY of gun
control laws that exist.  In NY (UPState, not NYC) I applied for a permit
to carry in September, 1981.  I got it in late November that year, after
submitting:
	1.  Five sets of fingerprints (for local, county, state, FBI, BATF)
	2.  Five photographs (for same police departments, agencies)
	3.  Three signed affidavits from references who are not
	    related and have known me more than three years, attesting
	    to my good character.
	4.  Evidence that I have successfully completed a pistol safety
            course (sponsored and delivered by an NRA chapter, BTW)
	5.  An application listing all biographical info, previous address
	    info, employer and a reason for wanting a gun (protection)

Three MONTHS later, I was called before a County Court judge who
signed my permit.  I was allowed at that point to purchase ONE weapon.
Additional weapons require a trip to the county courthouse, fill out an
application, then wait a week or so for them to process the app during
which time, assumedly, they ascertain you are not a crook.  Hence...

A Brady Bill-induced five day waiting period is of little consequence.  My 
permit is NOT valid in the 5 Boroughs (counties) that make up NYC.  
Permits there require a psychiatric evaluation, and NYPD commissioner 
approval, and must be renewed every year.

In Texas, all I have to do is show a drivers' license, fill out a form
(that is not even sent in to a central bureau, but kept in the store) 
and then pay cash, check or credit card.  The only "check" done in TX
is a credit check.  Big difference.  No concealed weapon permits are
available here though, unless you are a "peace officer."

Bottom line:  when I buy a sofa with a credit card, the cashier knows
within 30 seconds whether or not I have sufficient credit.  If I am 
turned down, the cashier does not know whether I am a deadbeat, or if
there is a network problem, or if I just missed a payment.  The NCIC
check should be similarly implemented, and I would welcome it.

"Sorry sir/ma'am, your transaction was denied.  You'll have to check with
your local PD (like checking with your bank) to clear this up, then we'll
be glad to sell you this handgun."  No "authorization code" no gun.

Bad news though.  Even in tough-gun-law central, NYC, if I have about
$150.00 and a little time (30 minutes or so) I can get a cheap revolver
near Union Square park or over on 8th Avenue with NO paperwork.  Laws
address the law-abiding folks, sorry...

-- 
Stephen Basile       |"If you stay in Beverly Hills too long,
A Cog In The Machine |  you become a Mercedes" --R. Redford ____
Tivoli Systems Inc.  |                                      \  / 
   basile@tivoli.COM | DISCLAIMER: _MY_ thoughts, OUR world. \/


------------------------------

From: roberts@decus.arc.ab.ca (Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067)
Date: 9 Dec 1993 14:43:12 -0600
Subject: "Sneakers"
Organization: UTexas Mail-to-News Gateway

MVSNEAKR.RVW  931028
 
"Sneakers", Universal Pictures
 
In trying to come up with a computer film festival after "Colossus," "War
Games" and "Sneakers," we quickly ran out of ideas.  (The electronic
communications in "Jack Flash" were important, but not a major part of the
story.)  "Sneakers" received a lot of publicity on the net at its release, not
least because of the "technical advice" given to the movie by a famous hacker
and phone phreak.  (It is not for nothing that there are so many references to
"Captain Crunch" in the movie.  He took his nom-de-guerre from the discovery
that a prize whistle which came in boxes of the cereal gave out the 2600 hertz
tone which could be used to command older telephone switches.)  ("2600"
magazine also takes its name from this fact.  The tone, not the cereal.)
 
Falling generally into the thriller, rather than science fiction, genre,
"Sneakers" will not likely become either a cinematic or a cult classic.  While
not, perhaps, of the first rank, it should nonetheless hold a reasonably high
place in the second rank of recent movies.  (Readers are free, of course, to
consider this scant praise.)
 
Character development is scant, and social, as well as technical, absurdities
are present.  At one point the bad guys are tipped off by a supposed mismatch
in a couple purportedly assigned by a computer dating service: any normal human
would know that a meat market is a meat market, regardless of any hype over
computerization.  There are other places where the logical takes second place
to the visual.  Seminar speakers do *not* stand where the overhead can shine in
their eyes.  Teachers (particularly in the U.S.) do *not* have apartments out
of "Better Homes and Gardens."  Security guards do not pull random wires out of
security camera clusters.  Continuity could use some work, too.  At one point,
literally hundreds of armed guards pour out of the rhododendrons, enough to
fill all the corridors and stairways in the complex:  within five minutes the
heroes are able to run the length of the complex (and up the stairway where the
guard was so suspicious of the wiring) without seeing a soul.
 
(In counterpoint to some unutterably bleak scenes, most of the movie contains
wit and humour.  The negotiations between the hackers and the NSA are
hilarious.  Unrealistic, with three people facing you carrying machine guns,
but hilarious.)
 
In comparative terms the technical detail is fairly reasonable.  The story
hinges on the existence of a "universal" code breaker.  For existing encryption
and decryption techniques, it is known just how difficult it is to break a
given code.  However, as the inventor states in the movie, "What if there is
another way?"  We do not yet know enough about information to say that there is
*not* another way to extract the meaning from encrypted data.  (It is unlikely,
but not absolutely impossible.)  This does, however, preclude the reasoning in
the film that such a device would not be of use for different types of codes. 
Universal is universal.  (It would probably make for great translation
software, too ...)
 
The technical trappings of the movie, though, again suffer from the dictates of
the artistic director.  I actually do own an acoustic coupler modem, obtained
when I bought a computer for its historical value.  (I have no idea whether or
not it actually still works.)  A computer display at one point purports to show
the progress of a telephone call being traced:  it bears a striking resemblance
to the (equally unrealistic) "burning fuses" used to light off explosives in
other thrillers.  Decryption is unlikely to result in letters tumbling and
falling into place like slot machine wheels, and it is equally unlikely that
decrypted text suddenly becomes a graphical map.  (Then again, text versus
graphical representation *is* an aspect of meaning ... )  A Cray XMP-3 doesn't
run Windows (although it is probably the only platform that could give you that
kind of response time).
 
The composition of the "tiger team" is very realistic in that the diverse skill
sets would be very useful.  Getting them to work together is another matter. 
The prevalence of criminal records would seriously hamper their ability to get
contracts, but all indications in the movie are that they aren't exactly flush
anyway.  (The ubiquity of Chinese take-out food and the difficulty in finding a
girlfriend willing to play Mata Hari are also realistic.  As, interestingly, is
the association of mathematical and musical skill.)
 
"Sneakers" is by no means perfect, but it shows a welcome trend towards a more
realistic treatment of technology in popular entertainment.
 
copyright Robert M. Slade, 1993   MVSNEAKR.RVW  931028

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
DECUS Symposium '94, Vancouver, BC, Mar 1-3, 1994, contact: rulag@decus.ca

------------------------------


End of Computer Privacy Digest V4 #005
******************************